Something just accored to me, we have a sophos email appliance. All incoming and outgoing email go through that box and it scans everything. Do you think that may be modifying the headers before it leaves our network?
From: Josh Daynard <josh.dayn...@icloud.com> Sent: Saturday, March 4, 2023 6:37 PM To: Salvatore Jr Walter P <walter.p.salvat...@warwickri.gov> Cc: Alessandro Vesely <ves...@tana.it>; mailop@mailop.org Subject: [EXT] - Re: [mailop] [EXT] - Re: [EXT] - Re: New member, trying to bring our mail server inline. On Mar 4, 2023, at 3:11 PM, Salvatore Jr Walter P via mailop <mailop@mailop.org<mailto:mailop@mailop.org>> wrote: Sorry, but I have no idea what any of that means? what is a z tag? I was curious as well and managed to find a decent resource here: [What-are-DKIM-Tags_.jpg] What are DKIM Tags?<https://easydmarc.com/blog/what-are-dkim-tags/> easydmarc.com<https://easydmarc.com/blog/what-are-dkim-tags/> Bottom line is that the verification error you’re seeing (“signature verification failed”) is an indication that one of the header fields being used to generate the DKIM signature (listed in the h= tag potion of the signature) is being altered *after* the signature has been generated but before the message is relayed to the destination domain. Looks like z tags can be used in the DKIM signature for debugging purposes … you can copy the original header values that were present during signing into this tag and then when signature verification fails, you can compare those values to what was actually received to see what was altered (assuming whatever altered the header(s) won’t touch the z= tag in your DKIM sig!). We had this problem early on due to some header fix-ups happening by the MTA post DKIM signing. You need to be sure that DKIM Signing is basically the last thing that happens before a message is relayed or at least that none of the header fields used to generate the sig are altered! You would get a different error if the public key couldn’t be retrieved or if the body of the message was altered (body hash mismatch). - Josh ___________________________ Walter P Salvatore Jr Systems Administrator Information Technology City of Warwick (401) 921-9663 https://www.warwickri.gov walter.p.salvat...@warwickri.gov<mailto:walter.p.salvat...@warwickri.gov> ________________________________ From: Alessandro Vesely <ves...@tana.it<mailto:ves...@tana.it>> Sent: Saturday, March 4, 2023 7:12 AM To: Salvatore Jr Walter P; 'mailop@mailop.org' Subject: [EXT] - Re: [mailop] [EXT] - Re: New member, trying to bring our mail server inline. On Fri 03/Mar/2023 21:39:46 +0100 Salvatore Jr Walter P via mailop wrote: Thanks Mark. I sent an email as suggested and it came back as a fail for DKIM. “I see you've included a DKIM signature. I've retrieved the public key from 1._domainkey.warwickri.gov The signature failed validation. The Auth Result is fail.” A failing signature should mean a header change. That's also what I get from your posts on mailop, signature verification failed (otherwise would 've been body hash mismatch). Can you turn on z= tags? Otherwise try carefully comparing the signed fields, from: subject: to: date:, message-id: and the signature itself. Check that no other filters alter those fields after signing. Can you sign messages off-line? Do Bcc: copies verify? (Use any off-line dkim verifier.) Good luck Ale -- _______________________________________________ mailop mailing list mailop@mailop.org<mailto:mailop@mailop.org> https://list.mailop.org/listinfo/mailop
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
